Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
ch1.grzhost.com
I ran this command:
sudo certbot certonly \
--dns-google \
--dns-google-credentials ~/.secrets/certbot/gh-dns-credentials.json \
-d ch1.grzhost.com
It produced this output:
PluginError: Encountered error finding managed zone: <HttpError 403 when requesting
https://www.googleapis.com/dns/v1/projects/gh-grazehound/managedZones?alt=json&dnsName=ch1.grzhost.com.
returned "Forbidden">
My web server is (include version): None in this case. I’m working with dns authentication.
The operating system my web server runs on is (include version): Linux Ubuntu 16.04
My hosting provider, if applicable, is: self hosted at HE
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
I’m getting this error:
PluginError: Encountered error finding managed zone: <HttpError 403 when requesting
https://www.googleapis.com/dns/v1/projects/gh-grazehound/managedZones?alt=json&dnsName=ch1.grzhost.com.
returned "Forbidden">
Running this command
sudo certbot certonly \
--dns-google \
--dns-google-credentials ~/.secrets/certbot/gh-dns-credentials.json \
-d ch1.grzhost.com
Note: I was able to get my credentials file from Google, and renamed the file to the above name.
I also verified this was for the DNS services account, and created a second set of credentials with the same results.
At the end of the help request is a piece of the letsencrypt log file.
Looks like I’m getting a forbidden response and the managed zone is not found.
When I run (from a browser): https://www.googleapis.com/dns/v1/projects/gh-grazehound/managedZones?alt=json&dnsName=ch1.grzhost.com.
I get:
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "required",
        "message": "Login Required",
        "locationType": "header",
        "location": "Authorization"
      }
    ],
    "code": 401,
    "message": "Login Required"
  }
}
When I look at my managed zones in my Cloud Shell console I get:
gcloud dns managed-zones list
NAME DNS_NAME DESCRIPTION
ch1-grzhost-com ch1.grzhost.com.
The https://www.googleapis.com/discovery/v1/apis/dns/v1/rest and
https://www.googleapis.com/dns/v1/projects/gh-grazehound/managedZones?alt=json&dnsName=ch1.grzhost.com.
both returned reasonable looking data.
Please let me know what I’m doing wrong, or what permissions I’m missing.
Regarding permission, for testing, I have given all permissions to my account, just trying to make sure
I can get things to work, before tightening things up.
Following is a piece of the log file that shows my error.
2018-05-19 02:20:50,072:DEBUG:acme.client:Storing nonce: GZsysNmF1OH8iiYbtFWyukJjTjN3Plbh63TbySe9HUE
2018-05-19 02:20:50,073:INFO:certbot.auth_handler:Performing the following challenges:
2018-05-19 02:20:50,073:INFO:certbot.auth_handler:dns-01 challenge for ch1.grzhost.com
2018-05-19 02:20:50,079:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
2018-05-19 02:20:50,304:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/dns/v1/projects/gh-grazehound/managedZones?alt=json&dnsName=ch1.grzhost.com.
2018-05-19 02:20:50,304:INFO:oauth2client.transport:Attempting refresh to obtain initial access_token
2018-05-19 02:20:50,308:DEBUG:oauth2client.crypt: …
2018-05-19 02:20:50,308:INFO:oauth2client.client:Refreshing access_token
2018-05-19 02:20:50,760:WARNING:googleapiclient.http:Encountered 403 Forbidden with reason "forbidden"
2018-05-19 02:20:50,761:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 73, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 124, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python2.7/dist-packages/certbot_dns_google/dns_google.py", line 70, in _perform
    self._get_google_client().add_txt_record(domain, validation_name, validation, self.ttl)
  File "/usr/local/lib/python2.7/dist-packages/certbot_dns_google/dns_google.py", line 113, in add_txt_record
    zone_id = self._find_managed_zone_id(domain)
  File "/usr/local/lib/python2.7/dist-packages/certbot_dns_google/dns_google.py", line 275, in _find_managed_zone_id
    .format(e))
PluginError: Encountered error finding managed zone: <HttpError 403 when requesting
https://www.googleapis.com/dns/v1/projects/gh-grazehound/managedZones?alt=json&dnsName=ch1.grzhost.com.
returned "Forbidden">
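
An added example, not part of the original post and not certbot's code: an offline check of whether the service account named in the credentials file (rather than the human account) holds a role in the project's IAM policy, taking as input the JSON printed by `gcloud projects get-iam-policy gh-grazehound --format=json`. The service-account e-mail, the sample policies, the `diagnose` helper and the simplified role table are constructed assumptions.

```python
import json

# Simplified role table (assumption for this example): which of the two
# operations the DNS plugin needs each role allows. Custom roles are unknown.
ROLE_CAPS = {
    "roles/owner": {"list-zones", "write-records"},
    "roles/editor": {"list-zones", "write-records"},
    "roles/dns.admin": {"list-zones", "write-records"},
    "roles/dns.reader": {"list-zones"},
    "roles/viewer": {"list-zones"},
}

def diagnose(key, policy, zone_project):
    """Compare a service-account key with a project IAM policy; return findings."""
    findings = []
    if key.get("type") != "service_account":
        findings.append("credentials file is not a service-account key")
    if key.get("project_id") != zone_project:
        findings.append("key project_id is not the project that holds the zone")
    member = "serviceAccount:" + key.get("client_email", "")
    roles = [b["role"] for b in policy.get("bindings", [])
             if member in b.get("members", [])]
    if not roles:
        findings.append(member + " has no role in this project (expect 403)")
    caps = set().union(*(ROLE_CAPS.get(r, set()) for r in roles))
    for need in ("list-zones", "write-records"):
        if roles and need not in caps:
            findings.append("no known role grants " + need)
    return findings

# Constructed sample data: the e-mail and bindings are made up; only the
# project name comes from the post.
KEY = json.loads('{"type": "service_account", "project_id": "gh-grazehound",'
                 ' "client_email": "certbot-dns@gh-grazehound.iam.gserviceaccount.com"}')
# The human account is Owner, the service account has nothing.
POLICY_BAD = {"bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}]}
POLICY_OK = {"bindings": POLICY_BAD["bindings"] + [
    {"role": "roles/dns.admin", "members": ["serviceAccount:" + KEY["client_email"]]}]}

if __name__ == "__main__":
    for name, pol in (("bad", POLICY_BAD), ("ok", POLICY_OK)):
        print(name, diagnose(KEY, pol, "gh-grazehound") or "no findings")
```

Once the check passes, a DNS-scoped role on the service account is enough; the broad grants used for testing can be removed.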